Tuesday, February 23, 2016

Apple Versus FBI - What does it really mean?

I have avoided weighing in on the FBI versus Apple fray thus far. While I have an opinion, there are people smarter than me, that are closer to the facts of the matter, and whose perspectives I hold in high regard. With that said, friends and family are turning to me as "the expert in their circle," to help them understand what is going on.

Background.

On February 16, the United States District Court for the Central District of California served Apple, Inc. with an order compelling Apple to assist agents in executing a search warrant. Specifically, the FBI had in its possession an iPhone 5c that was used by a person implicated in the San Bernardino shooting, and that was now deceased.

The order specifically calls for 1) bypassing the auto-erase function that will delete the contents of an iPhone after a certain number of incorrect passwords are entered; 2) enabling the FBI to electronically submit passcodes to the device; and 3) prevent a delay between entering passcodes - all three of which are intentional design decisions by Apple to prevent a malicious attacker from carrying out precisely the activity the FBI wishes to perform.

This particular case goes a step farther, and this is where this crosses from a reasonable request for assistance, to a very dangerous precedent. The order states that Apple is to provide the FBI with a software update for the iPhone, which implements the above-ordered features. The order repeatedly states that the software would only run on the subject device; unlike a physical key however, software will run on any compatible device. Once the genie is released from the bottle, it cannot be put back.

It's not just one phone.

Apple's lawyers release list of other iOS devices waiting for backdoors (Steve Ragan)At present, there are at least 12 iOS devices which the Department of Justice has gone to court to request Apple unlock. As Steve says, "if Apple does as the court demands, the FBI would then go to the courts and force Apple to render reasonable technical assistance from now until such time as Apple goes out of business." In other words, once a court precedent exists, every future phone is fair game.

If the FBI is successful with Apple backdoor, should you ever update your computer again? (Jacob "MalwareJake" Williams)Manufacturer updates are trusted by the system, and run with system-level privileges. In other words, a manufacturer update can do absolutely anything the developer wishes to the system - which is why the security and trust in update procedures is important. "If the vendor can exploit our machines at will to give a third party access, do you really own the machine? Do you really own the data?"

On Ribbons and Ribbon Cutters (Jonathan Zdziarski)The FBI presents this as a case of "cut the ribbon surrounding a device," when in fact they are ordering Apple to invent a forensic ribbon-cutting tool capable of unlocking any iOS device, but promising to only use it on this one iPhone. This is particularly troublesome, because Apple has specifically designed their products so that not even they could break into a customer's device.

It's not just the United States.

Everything You Need to Know About the Apple Versus FBI Case (Troy Hunt)Troy makes the point that the US, UK, Australia, New Zealand, and Canadian governments cooperate with one another, and that any precedent set here by the FBI will be a precedent for the other participating nations. China is watching this case, and could demand the same treatment or ban Apple from selling in China. Likewise with the Russian FSB.

Some technical background

Fox News interview with David Kennedy (video)The court order mandates that Apple violate the security of every iOS device by introducing an intentional software vulnerability that could be exploited by law enforcement, oppressive nation states, and malicious hackers alike.

Statements from the key players

I personally feel upholding this demand sets a dangerous precedent - as Apple CEO Tim Cook stated, the tool the Bi is asking for is one Apple believes too dangerous to create - but it's not my choice to make.

In the end, this will almost certainly be decided in the Supreme Court (and potentially Congress). My hope is that those ultimately making the decisions recognize that it's not just one phone, it's not just the FBI, and it's not just the United States. Upholding a mandate that a US-based company intentionally weaken the security of its customers is a slippery slope, one that weakens the security and privacy of people worldwide, and one that may encourage similar arrangements in other countries.

One final thought: think for a moment about where your iPhone, or Samsung Galaxy, or [insert favorite brand here] is manufactured. It's not in the United States. Let that sink in for a bit.Updated March 28:

What does this mean for you? If the government could break in, so could a hacker. The phone was secured by a 4-digit PIN, so the government needed only a way to get around Apple's password attempt limit, and then could crack the code very quickly. Protect yourself from a malicious hacker by using an alphanumeric passphrase for your device lockscreen.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen